CVE-2026-22713
Cross-Site Scripting in Mediawiki GrowthExperiments Extension
Publication date: 2026-01-09
Last updated on: 2026-02-12
Assigner: wikimedia-foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| growth | growthexperiments | 1.39 |
| growth | growthexperiments | 1.43 |
| growth | growthexperiments | 1.44 |
| growth | growthexperiments | 1.45 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22713 is a stored Cross-Site Scripting (XSS) vulnerability in the GrowthExperiments extension of MediaWiki. It occurs because the extension inserts parsed, user-controlled wikitext into autocomments that appear in edit summaries without proper escaping. This allows any user with edit permissions to inject malicious scripts that execute when the edit summaries are rendered in various parts of the interface, such as page history and recent changes. The root cause is the unsafe use of parsed HTML messages with user-supplied parameters, enabling script injection. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker with edit permissions to inject and execute arbitrary JavaScript code in the context of users viewing edit summaries. This can lead to session hijacking, defacement, or other malicious actions performed on behalf of the victim user. Since the malicious scripts execute in various UI components displaying edit summaries, it can affect multiple users and compromise the integrity and security of the MediaWiki installation. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the stored XSS attack in the GrowthExperiments extension. Specifically, you can test whether user-controlled wikitext is improperly escaped in edit summaries by following these steps:

1. Create a template named `Template:AutocommentPayload` containing the payload `<pre tabindex="0" data-xss="[[#/autofocus/onfocus=alert(1);//">]]</pre>`.
2. Edit an existing page and set the edit summary to `/*growthexperiments-manage-mentors-summary-add-admin-no-reason:{{AutocommentPayload}}*/`.
3. View the changes or page history to see whether the payload executes (e.g., an alert box appears). This confirms the presence of the vulnerability.

There are no specific network commands provided, but manual testing via the MediaWiki UI or automated scripts simulating these steps can detect the issue. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Apply the official patches that escape system messages used in edit summaries to prevent script injection. These patches were merged across multiple branches and deployed in the December 1, 2025 security deployment window.
2. Restrict or review permissions for users with the `editinterface` permission, as only users with this permission can exploit the vulnerability.
3. Avoid using affected versions of the GrowthExperiments extension (1.39, 1.43, 1.44, 1.45) and upgrade to a fixed version such as MediaWiki 1.46.0-alpha with the patched extension.
4. Monitor edit summaries and related UI components for suspicious scripts or payloads until the patch is applied. [1]
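A defender-side check for the pattern described in the detection and monitoring answers above. This is added example code, not code from the page or from the GrowthExperiments extension: it scans edit-summary strings (assumed to be pulled from the wiki's revision table or recent-changes feed) for autocomments that carry wikitext markup, which is the shape of the injection on this page. The sample summaries are constructed.

```python
import re
from dataclasses import dataclass

# MediaWiki autocomments in edit summaries are delimited by /* ... */ .
AUTOCOMMENT_RE = re.compile(r"/\*\s*(?P<body>.*?)\s*\*/", re.DOTALL)

# Wikitext constructs that have no business inside an autocomment label:
# template transclusion, internal links, raw HTML tags. Their presence is
# what lets a parsed system message with user-supplied parameters become script.
WIKITEXT_MARKERS = ("{{", "[[", "<", "javascript:")

# A GrowthExperiments message key followed by ':' and an argument is the
# autocomment shape shown in the reproduction steps on this page.
GE_MESSAGE_RE = re.compile(r"^(?P<key>growthexperiments-[a-z0-9-]+):(?P<arg>.*)$", re.DOTALL)


@dataclass
class Finding:
    summary: str
    autocomment: str
    reason: str


def inspect_summary(summary: str) -> list[Finding]:
    """Return one Finding per autocomment in `summary` that deserves review."""
    findings = []
    for m in AUTOCOMMENT_RE.finditer(summary):
        body = m.group("body")
        ge = GE_MESSAGE_RE.match(body)
        if ge and any(tok in ge.group("arg") for tok in WIKITEXT_MARKERS):
            findings.append(Finding(summary, body, f"wikitext passed to message {ge.group('key')}"))
        elif any(tok in body for tok in WIKITEXT_MARKERS):
            findings.append(Finding(summary, body, "wikitext markup inside autocomment"))
    return findings


def scan_summaries(summaries) -> list[Finding]:
    out = []
    for s in summaries:
        out.extend(inspect_summary(s))
    return out


# Constructed sample edit summaries (not real wiki data). Only the third one
# should be flagged: the link in the fourth sits outside the autocomment.
SAMPLE_SUMMARIES = [
    "Fixed typo in lead paragraph",
    "/* History */ added citation",
    "/*growthexperiments-manage-mentors-summary-add-admin-no-reason:{{SomeTemplate}}*/",
    "/* See also */ [[#anchor|link]] in plain summary text",
]

if __name__ == "__main__":
    for f in scan_summaries(SAMPLE_SUMMARIES):
        print(f"FLAG ({f.reason}): {f.autocomment!r}")
```

Flagged summaries are candidates for review or removal of the revision comment, not proof of exploitation; legitimate section names rarely contain these markers, so the false-positive rate on normal wikis is low.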